This Data Processing Agreement (“Agreement“) forms part of the Contract for Services (“Principal Agreement“) between Students of Georgetown, Inc. (herein “SG”) and any Shopify storefront customer (the “Data Subject”) wherein: 

(A) SG acts as a Data Controller.

(B) SG wishes to provide services to the Data Subject, which imply the processing of personal data.

(C) SG seeks to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as well as the California Consumer Privacy Act of 2018 (CCPA).

(D) SG wishes to lay down its rights and obligations


1.Definitions and Interpretation

1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1 “Agreement” means this Data Processing Agreement;

1.1.2 “Data Subject Personal Data” means any Personal Data Processed by SG or any contracted processor on behalf of SG pursuant to or in connection with the Principal Agreement;

1.1.3 “Contracted Processor” means a Subprocessor;

1.1.4 “Data Protection Laws” means EU Data Protection Laws, the CCPA and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 “EEA” means the European Economic Area;

1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;

1.1.8 “CCPA” means the California Consumer Privacy Act 2018;

1.1.9 “Data Transfer” means: a transfer of Company Personal Data from SG to a Contracted Processor; or an onward transfer of Data Subject Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.1.9 “Services” means the storage or catering services SG provides.

1.1.10 “Subprocessor” means any person appointed by or on behalf of SG to process Personal Data on behalf of SG 

1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2.Processing of Customer Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Data Subject Personal Data;

3.SG Personnel

SG shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Subject Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.


4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Data Subject Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, CCPA and other relevant data laws and regulations.

4.2 In assessing the appropriate level of security, SG shall take account in particular of the risks that are presented by Processing, in particular from a Data Subject Personal Data Breach.


5.1 SG shall not appoint (or disclose any Data Subject Personal Data to) any Subprocessor unless required for the explicit delivery of services or authorized by the Data Subject.

6.Data Subject Rights

6.1 Taking into account the nature of the Processing, SG shall ensure its ability to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.Personal Data Breach

7.1 SG shall notify Data Subject without undue delay upon SG becoming aware of a Personal Data Breach affecting Data Subject Personal Data.

7.2 SG shall cooperate with the Data Subject and take reasonable steps to provide an investigation, mitigation and remediation of each such Personal Data Breach.

8.Deletion or return of Company Personal Data

8.1 At checkout, Students of Georgetown, Inc. (herein “SG”), requires some limited personal information (customer name, netID, current address and desired order parameters)  in order to process an order. This data shall be processed uniquely for the purpose of fulfilling an order and shall not be shared with any third parties beyond those immediately necessary for handling the customer order. The data shall be held at most for a period of two years after the purchase date or six months after the order fulfilment date, whichever is shorter. 

9.General Terms

9.1 Confidentiality. SG must keep this Agreement and information it receives about the Data Subject and their personal data in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Data Subject except to the extent that:

(a) disclosure is required by law;
(b) the relevant information is already in the public domain.

10.Governing Law and Jurisdiction

10.1 This Agreement is governed by the laws of the District of Columbia and the United States, with attempts made wherever possible to follow the laws of other jurisdictions.